The user_logout code is calling the php function session_destroy, but that alone will not destroy a session, the api session_regenerate() should be used instead because it will remove the cookie from the web browser and replace the old value with the newly generated session id.

Comments

kbahey’s picture

kbahey commented
Status: Active » Closed (duplicate)

There is a patch here http://drupal.org/node/304991

Please review it if you think it is a good idea.